Campfire-1

Sherlock Scenario

Alonzo Spotted Weird files on his computer and informed the newly assembled SOC Team. Assessing the situation it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with:

• Security Logs from the Domain Controller

• PowerShell-Operational Logs from the affected workstation

• Prefetch Files from the affected workstation

Q1) Analyzing Domain Controller Security Logs, can you confirm the date & time when the kerberoasting activity occurred?

We need to look for Event ID 4769, which logs "A Kerberos service ticket was requested". This event is triggered when a user requests a TGS (Ticket Granting Service) ticket, and is often abused during Kerberoasting attacks.

Get-WinEvent -FilterHashtable @{Path='C:\Users\jdoe\Desktop\Triage\Domain Controller\SECURITY-DC.evtx'; Id=4769} 
| Where-Object { ($_.Properties[2].Value -ne "krbtgt" -and $_.Properties[2].Value -notmatch '\$$') -and $_.Properties[5].Value -eq "0x17" -and $_.Properties[8].Value -eq "0x0"} 
|  Select-Object TimeCreated, @{Name="ServiceName";Expression={$_.Properties[2].Value}}, @{Name="EncryptionType";Expression={$_.Properties[5].Value}}

We need to convert this timestamp to UTC.

Answer: 2024-05-21 03:18:09

Q2) What is the Service Name that was targeted?

Answer: MSSQLService

Q3) It is really important to identify the Workstation from which this activity occurred. What is the IP Address of the workstation?

Get-WinEvent -FilterHashtable @{Path='C:\Users\jdoe\Desktop\Triage\Domain Controller\SECURITY-DC.evtx'; Id=4769} 
| Where-Object { ($_.Properties[2].Value -ne "krbtgt" -and $_.Properties[2].Value -notmatch '\$$') -and $_.Properties[5].Value -eq "0x17" -and $_.Properties[8].Value -eq "0x0"} 
|  Select-Object TimeCreated, @{Name="ServiceName";Expression={$_.Properties[2].Value}}, @{Name="EncryptionType";Expression={$_.Properties[5].Value}}, @{Name='Source'; Expression={$_.Properties[6].Value}}

Answer: 172.17.79.129

Q4) Now that we have identified the workstation, a triage including PowerShell logs and Prefetch files are provided to you for some deeper insights so we can understand how this activity occurred on the endpoint. What is the name of the file used to Enumerate Active directory objects and possibly find Kerberoastable accounts in the network?

Get-WinEvent -FilterHashtable @{Path='C:\Users\jdoe\Desktop\Triage\Workstation\Powershell-Operational.evtx'; Id=4104} 
| Select-Object TimeCreated, @{Name='Path'; Expression={$_.Properties[4].Value}}

Answer: powerview.ps1

Q5) When was this script executed?

Also we need to convert this timestamp to UTC.

Answer: 2024-05-21 03:16:32

Q6) What is the full path of the tool used to perform the actual kerberoasting attack?

.\PECmd.exe -d C:\Users\jdoe\Desktop\Triage\Workstation\2024-05-21T033012_triage_asset\C\Windows\prefetch\ --csv . --csvf campfire.csv

Next, after converting the prefetch files to CSV format, we will open the output file in TimelineExplorer for analysis.

There are numerous duplicate values present, so we'll use PowerShell to eliminate them.

Import-Csv -Path C:\Users\jdoe\Desktop\net6\campfire.csv | Select-Object -Property ExecutableName -Unique

Let's filter for Rubeus.exe in TimelineExplorer to identify the full file path.

Answer: C:\Users\Alonzo.spire\Downloads\Rubeus.exe

Q7) When was the tool executed to dump credentials?

Answer: 2024-05-21 03:18:08